Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

Koudai Hatakeyama,Daisuke Kotani,Yasuo Okabe

DOI: https://doi.org/10.48550/arXiv.2204.05471

2022-04-12

Cryptography and Security

Abstract:Public key authentication (PKA) has been deployed in various services to provide stronger authentication to users. In PKA, a user manages private keys on her devices called authenticators, and services bind the corresponding public keys to her account. To protect private keys, a user uses authenticators which never export private keys outside. On the other hand, a user regularly uses multiple authenticators like PCs and smartphones. She replaces some of her authenticators according to their lifecycle, such as purchasing new devices and losing devices. It is a burden for a user to register, update and revoke public keys in many services every time she registers new accounts with services and replaces some of her authenticators. To ease the burden, we propose a mechanism where users and services manage public keys based on the owner of authenticators and users can access services with PKA using any of their authenticators. We introduce a key pair called an Ownership Verification Key (OVK), which consists of the private key (OVSK) and the corresponding public key (OVPK). All authenticators owned by a user derive the same OVSK from the pre-shared secret called the seed. Services verify the ownership of the authenticators using the corresponding OVPK to determine whether binding the requested public key to her account. To protect user privacy while maintaining convenience, authenticators generate a different OVK for each service from the seed independently. We demonstrate the feasibility through the Proof of Concept implementation, show that our proposed mechanism achieves some security goals, and discuss how the mechanism mitigates threats not completely handled.

Yuanchao Shu,Yu (Jason) Gu,Jiming Chen

DOI: https://doi.org/10.1109/tpds.2013.153

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial, and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges cannot be transferred among trusted users. In this work, we introduce a dynamic authentication with sensory information for the access control systems. By combining sensory information obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss, stolen, and duplication. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with sensory information of different sensors and empirically demonstrate simple rotations can increase key space by more than 1,000,000 times with an authentication accuracy of 90 percent. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Zhi-Yu Peng,Shan-Ping Li

DOI: https://doi.org/10.1109/icmlc.2008.4620616

2008-01-01

Abstract:As pervasive computing leading to an increased collection of information in the computational world as well as the real world, privacy leaking becomes a serious issue. Although privacy protection has drawn great attention in recent years, the privacy-preserving trust management has not been brought forward. Credential chain discovery problem is the key issue in trust management, and traditionally credentials are full open in the whole system. This could expose users' access control policies as well as other private information, and leads to a great risk of being cheated by malicious users. This paper advocates a privacy-preserving credential chain discovery mechanism, in which credentials are no longer available to everyone. By merely learning credentials of one's logic neighbors, this mechanism still achieves good results. The simulations show that this mechanism is practical.

Qiuhua Wang,Huifang Chen,Lei Xie,Kuang Wang

DOI: https://doi.org/10.1002/sec.429

IF: 1.968

2012-01-01

Security and Communication Networks

Abstract:The self-healing group key distribution scheme with revocation can deal with the problem of distributing session keys for secure group communication over an unreliable wireless network, with the capability to resist packet loss and collusion attack. However, existing access-polynomial-based self-healing key management schemes have some problems, such as the small number of active group members, much redundancy in the key updating broadcast packet, and limited collusion attack resistance capability. In order to increase the number of active group members and improve the performance of self-healing group key distribution schemes, we propose a self-healing group key distribution scheme based on the access polynomial and one-way hash key chain for resource-constrained wireless networks in this paper. In our proposed scheme, by binding the time at which the user joins the group with the capability of recovering previous group session keys, some novel methods to construct the personal secret, the access polynomial, and the session key updating broadcast packet are presented. Compared with existing schemes under same conditions, analysis and simulation results show that our proposed scheme not only supports much more group members and sessions, but also provides a stronger security, considering that it can deal with more colluding users. Moreover, our proposed scheme is especially suitable to resource-constrained wireless networks in a very bad environment. Copyright © 2012 John Wiley & Sons, Ltd.

Jianqing Fu,Chunming Wu,XiaoPing Chen,Rong Fan

DOI: https://doi.org/10.1109/iccet.2010.5485559

2010-01-01

Abstract:Nowadays, the use of Radio Frequency Identification (RFID) systems in industry and stores has increased. Nevertheless, some of these systems present problems that may discourage potential users. Hence, high confidence and efficient privacy protocols are urgently needed. Previous studies to achieve privacy authentication can be grouped into tree-based and synchronization approaches. But all of the tree-based designs are not suitable to large scale RFID systems, and most of the synchronization designs have security flaws. So in this paper, we propose a scalable pseudo random RFID private mutual authentication protocol (SPRA) to archive both scalable and security. The analysis results show that SPRA effectively enhances the security protection for RFID private authentication, and has the authentication efficiency of O(1).

齐竞艳,丁剑,崔伟,黄皓

2004-01-01

Abstract:This paper introduces a mechanism of key management, which enables users to control the backup and recovery process of subscribed private key with minimal security risks and lowest cost. This solution ensures that no other individuals or organizations (even the Certificate Authority and Key Management Center) than the user himself can access to the private keys. And it enables the easy recovery of a lost private key and the safe distribution of that key to the user. When corresponding strict requirements are met.

Mehmet Aydar,Salih Cemil Cetin,Serkan Ayvaz,Betul Aygun

DOI: https://doi.org/10.48550/arXiv.1907.04156

2019-07-09

Cryptography and Security

Abstract:The disruptive technology of blockchain can deliver secure solutions without the need for a central authority. In blockchain protocols, assets that belong to a participant are controlled through the private key of an asymmetric key pair that is owned by the participant. Although, this lets blockchain network participants to have sovereignty on their assets, it comes with the responsibility of managing their own keys. Currently, there exists two major bottlenecks in managing keys; $a)$ users don't have an efficient and secure way to store their keys, $b)$ no efficient recovery mechanism exists in case the keys are lost. In this study, we propose secure methods to efficiently store and recover keys. For the first, we introduce an efficient encryption mechanism to securely encrypt and decrypt the private key using the owner's biometric signature. For the later, we introduce an efficient recovery mechanism using biometrics and secret sharing scheme. By applying the proposed key encryption and recovery mechanism, asset owners are able to securely store their keys on their devices and recover the keys in case they are lost.

Jihwan Kim,Pyung Kim,Younho Lee,Daeseon Choi

DOI: https://doi.org/10.3390/math12060830

IF: 2.4

2024-03-13

Mathematics

Abstract:This paper delves into the advantages of authentication algorithms employing self-sovereign identity, highlighting a reduced communication overhead and the elimination of single points of failure. However, it acknowledges the vulnerability of digital wallets to real-world issues like loss or theft. To address these challenges, we propose an efficient key backup and recovery protocol based on the FROST threshold signature algorithm. This protocol involves trusted third parties and backup devices, ensuring secure secret key sharing and rapid key recovery. Performance evaluations, including key recovery time, demonstrate the protocol's efficiency and reliability, bolstering the overall robustness of self-sovereign identity systems.

mathematics

Chaowen Guan,Kui Ren,Fangguo Zhang,Florian Kerschbaum,Jia Yu

DOI: https://doi.org/10.1007/978-3-319-24174-6_11

2015-01-01

Abstract:Proofs-of-Retrievability enables a client to store his data on a cloud server so that he executes an efficient auditing protocol to check that the server possesses all of his data in the future. During an audit, the server must maintain full knowledge of the client's data to pass, even though only a few blocks of the data need to be accessed. Since the first work by Juels and Kaliski, many PoR schemes have been proposed and some of them can support dynamic updates. However, all the existing works that achieve public verifiability are built upon traditional public-key cryptosystems which imposes a relatively high computational burden on low-power clients (e.g., mobile devices).In this work we explore indistinguishability obfuscation for building a Proof-of-Retrievability scheme that provides public verification while the encryption is based on symmetric key primitives. The resulting scheme offers light-weight storing and proving at the expense of longer verification. This could be useful in apations where outsourcing files is usually done by low-power client and verifications can be done by well equipped machines (e.g., a third party server). We also show that the proposed scheme can support dynamic updates. At last, for better assessing our proposed scheme, we give a performance analysis of our scheme and a comparison with several other existing schemes which demonstrates that our scheme achieves better performance on the data owner side and the server side.

Peng Li,Junzuo Lai,Dehua Zhou,Ye Yang,Wei Wu,Junbin Fang

DOI: https://doi.org/10.1016/j.comnet.2023.109828

IF: 5.493

2023-05-25

Computer Networks

Abstract:Incentive-based applications enable users to obtain rewards after they complete a task, but how to balance the privacy and accountability is one of the most serious concerns currently. Publicly accountable anonymous authentication provides an excellent way verifying a user's identity in a privacy-preserving way while ensuring public accountability in case of dispute. Although different kinds of these schemes have been proposed, they all assume that there is a single centralized certificate authority issuing a certificate to users, and are not suitable for an actual scenario which always involves multiple authorities. Therefore, a new primitive called multi-authority linkable and traceable anonymous authentication is proposed to address this issue, enabling privacy protection while holding public accountability under a multi-authority setting. We formally define a security model for this new notion and simultaneously design a generic construction while giving the security proof. Additionally, we implement the proposed scheme to show its efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yi Sun,Qiaoyan Wen,Hongxiang Sun,Wenmin Li,Zhengping Jin,Hua Zhang

DOI: https://doi.org/10.1016/j.proeng.2011.12.731

2012-01-01

Procedia Engineering

Abstract:In traditional group key transfer protocol, the key generation center randomly selects a session key and then transports it that has been encrypted by another secret key. Afterwards, scholars construct authenticated key transfer protocols based on secret sharing instead of encryption algorithm. One typical protocol of this style is built by using the secret sharing scheme based on Language's interpolation polynomial. In this paper, we utilize an optimized secret sharing scheme instead of Language's interpolation polynomial. We provide mutual authentication to ensure that only the authorized group members can recover the right session key. What's more, all participants only need to store one secret share for all sessions. Besides, the change of the group members has no effect on the validity of the existing shares, which means the existing shares possess the excellent characteristic “one time assign, many times apply”.

Genqing Bian,Rui Zhang,Bilin Shao

DOI: https://doi.org/10.1109/access.2022.3166920

IF: 3.9

2022-01-01

IEEE Access

Abstract:The remote data possession checking mechanism can effectively verify the integrity of outsourced data, which can usually be divided into public verification and private verification. The verifier of public verification can be any cloud user, while private verification can only be the data owner. However, in most practical situations, the data owner expects that only a specific verifier can perform integrity checking tasks and that verifier cannot gain any knowledge about the data. Yan et al. proposed a remote data possession checking scheme with the designated verifier, which can guarantee that only the designated verifier can check data integrity, whereas others cannot do it. However, this scheme relies on public key infrastructure technology and does not consider data privacy protection issues. To overcome these shortcomings, we propose an identity-based remote data possession checking scheme that satisfies the data owner's requirement to specify a unique verifier. Moreover, in this scheme, we use a random integer to blind data integrity proof to protect data privacy and use Merkle hash tree structure to achieve dynamic update of data. At the same time, our scheme can avoid the complex certificate management in public key infrastructure. We proved the safety of our scheme based on the discrete logarithm assumption and the computational Diffie-Hellman assumption. Theoretical analysis and experimental results show that our scheme is feasible and effective in practical applications.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhiwei Wang,Qingqing Chen,Lei Liu

DOI: https://doi.org/10.1109/jiot.2023.3242959

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In this Internet of Things era, privacy preserving is one of the most vital barriers for personal data sharing. In this article, we present a secure and privacy-preserving data sharing protocol over the permissioned blockchains which require to certificate the users before they submit the transactions. We use the structure-preserving Groth signature to construct the anonymous credentials for satisfying the requirement of permissioned blockchains, and the anonymous credentials does not disclose the real identities of data owners. We prove that the anonymous credential in our protocol achieves the ideal functionality. For the secure access control and privacy protection of the data accessors, we propose an efficiently anonymous authentication scheme which utilizes the ElGamal commitment and the one-out-of-many proof to ensure a data accessor is authorized, but any unauthorized entities cannot learn the real identity of the data accessor, and even the data owner does not know who (although in the access control list) and when downloads his/her data. The blockchain platform is used to record the data storing, access control list, and the storage addresses, which helps to enhance the security level of the protocol. We implement our protocol over the ThinkPad, the RaspBerry Pi, the Huawei cloud, and the Hyperledger Fabric, and the experiments show the good performances.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wei Ren,Kui Ren,Wenjing Lou,Yanchao Zhang

DOI: https://doi.org/10.4108/icst.qshine2008.3824

2008-01-01

Abstract:Privacy-aware Public Key Infrastructure (PKI) can maintain user access control and yet protect user privacy, which is envisioned as a promising technique in many emerging applications. To justify the applicability of privacy-aware PKI and optimize the performance, it is highly important to ensure the efficiency of handling user revocations. In practice, user revocation can be due to various predictable and unpredictable reasons, e.g., subscription expiration, network access policy violation, group changing, secret key exposure, etc. Both predictable and unpredictable reasons can happen concurrently, which makes the design of efficient user revocation mechanism challenging. In this paper, we study how to achieve optimized user revocation cost with respect to various revocation approaches. We also propose an advanced scheme Delta-RL that ensures an optimized overall performance in terms of communication, computation and storage, as justified by the extensive analysis.

Tao Yang,Liyong Tang,Lingbo Kong,Zhong Chen

DOI: https://doi.org/10.1109/fskd.2012.6233869

2012-01-01

Abstract:Recently, distributed online social networks (OSNs) are developed to address the security and privacy issues in centralized OSNs. Identity based cryptography (IBC) was introduced into distributed OSNs recently for better identity verification and authentication purposes. However, current IBC-based solutions in OSNs could not address the problem of secure private key issuing. In this paper we propose PEKING: a novel Pivacy Enhanced Key IssuiNG scheme for distributed online social networks using IBC. Our scheme adopts key generate center (KGC) and key privacy assistants (PAs) to issue keys to peers securely. In the scheme, PAs can be selected from users' friends. Neither KGC nor PAs can impersonate the users to obtain the private keys. Furthermore, to maintain the security of PAs, we develop a scheme to authenticate PAs using Byzantine fault tolerance protocol. The experimental results show that PEKING performs effectively and efficiently, and is able to support large scale networks.

Yazhou Wang,Bing Li,Yan Zhang,Jiaxin Wu,Guozhu Liu,Yuqi Li,Zhen Mao

DOI: https://doi.org/10.1016/j.jisa.2023.103610

IF: 4.96

2023-09-29

Journal of Information Security and Applications

Abstract:Blockchain technology is widely used in the field of digital currency because of its non-tamperability, traceability, and decentralization. Blockchain's private key is usually used to prove the ownership of the cryptocurrency. However, this private key managed by the blockchain wallet faces the challenge of secure storage. Once the private key is leaked or stolen, the user's digital assets will be permanently lost. To solve the storage issue of the private key, we propose a novel approach based on facial biometrics and a physical unclonable function (PUF) device to generate a secure blockchain's private key. Firstly, to protect user anonymity and enhance the security of the private key, a user's facial biometrics is bound with a device's PUF fingerprint to generate the trusted private keys online without being stored in a third-party server or an external device. Secondly, to prevent the leakage of sensitive data, we utilize the correctness and perfectness of secret sharing to protect the helper data to prevent attackers from obtaining sensitive information about the fusion template. Thirdly, we give the formal security proof of our proposed scheme and conduct the informal security analysis. The experiment results demonstrate our scheme achieves a better EER (Equal Error Rate) of 2.02% in terms of accuracy and takes about 1008ms to generate a private key in terms of efficiency. Moreover, our scheme can resist various attacks such as password guessing , stolen mobile device, user impersonation, physical and cloning, and information leakage attacks. Finally, we develop a blockchain wallet prototype without modifying the blockchain protocol to achieve transfer transactions for demonstrating the usability and security of our proposed approach in a real-world scenario.

computer science, information systems

Dawei Zhao,Haipeng Peng,Shudong Li,Yixian Yang

DOI: https://doi.org/10.48550/arXiv.1305.6350

2013-05-28

Abstract:Recently, Li et al. analyzed Lee et al.'s multi-server authentication scheme and proposed a novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. They claimed that their scheme can resist several kinds of attacks. However, through careful analysis, we find that Li et al.'s scheme is vulnerable to stolen smart card and offline dictionary attack, replay attack, impersonation attack and server spoofing attack. By analyzing other similar schemes, we find that the certain type of dynamic ID based multi-server authentication scheme in which only hash functions are used and no registration center participates in the authentication and session key agreement phase is hard to provide perfect efficient and secure authentication. To compensate for these shortcomings, we improve the recently proposed Liao et al.'s multi-server authentication scheme which is based on pairing and self-certified public keys, and propose a novel dynamic ID based remote user authentication scheme for multi-server environments. Liao et al.'s scheme is found vulnerable to offline dictionary attack and denial of service attack, and cannot provide user's anonymity and local password verification. However, our proposed scheme overcomes the shortcomings of Liao et al.'s scheme. Security and performance analyses show the proposed scheme is secure against various attacks and has many excellent features.

Cryptography and Security

Xiuxia Tian,Ling Huang,Tony Wu,Xiaoling Wang,Aoying Zhou

DOI: https://doi.org/10.1109/icde.2016.7498383

2016-05-01

Abstract:Outsourcing keys (including passwords and data encryption keys) to professional password managers (honest-but-curious service providers) is attracting more and more attention from the researchers and users in the era of cloud computing. However, existing solutions in traditional data outsourcing scenario are unable to simultaneously meet the following three security requirements for keys outsourcing: 1)Confidentiality and privacy of keys; 2)Search privacy on identity attributes tied to keys; 3)Owner controllable authorization over his/her shared keys. In this paper, we propose CloudKeyBank, the first unified key management framework that addresses all the three goals above. To implement CloudKeyBank efficiently, we propose a new cryptographic primitive named Searchable Conditional Proxy Re-Encryption (SC-PRE) which combines the techniques of Hidden Vector Encryption (HVE) and Proxy Re-Encryption (PRE) seamlessly.